Python Mercenaries

Nginx: installing, maintaining, and configuring with OpenSalt

written by Alan Cugler on 2024-04-04

What's Nginx?

Nginx is one of the top applications for web traffic management. I personally love to use Nginx as a load balancer and reverse proxy in production. Even when applications provide their own web server to serve content, it's easier to manage many applications and websites with Nginx as the common point to configure, secure, and update routing.

Installing Nginx with Salt

The most secure way to install an application would be to download its GPG key and compare its verification hash to what you received. For Nginx, I could not find a published verification hash, which isn't uncommon to be honest. Using Ubuntu as our demo VM, we can configure the apt source management file and then trigger installation and enable nginx under systemd management.

Note

Make sure to update your Salt top.sls file so that your Salt minion is allowed to use this nginx.sls file. Usually you can find it at /srv/salt/top.sls.

# file: /srv/salt/nginx/init.sls

# tooling apt needs to handle the repository key
install_security_deps_nginx:
  pkg.installed:
    - pkgs:
      - gnupg2
      - ca-certificates
      - ubuntu-keyring

# can't find verification hashes from nginx, so the download is not checked
ensure_nginx_gpg_key_present:
  file.managed:
    - name: /etc/apt/keyrings/nginx_signing.key
    - source: https://nginx.org/keys/nginx_signing.key
    - skip_verify: True

# setting official nginx repository
ensure_nginx_repository_present:
  pkgrepo.managed:
    - humanname: official Nginx stable repository
    # folded scalar (>-): the two lines below become a single apt source line
    - name: >-
        deb [signed-by=/etc/apt/keyrings/nginx_signing.key]
        http://nginx.org/packages/mainline/ubuntu/ {{ grains.oscodename }} nginx
    - file: /etc/apt/sources.list.d/nginx.list
    - keyurl: https://nginx.org/keys/nginx_signing.key
    - aptkey: False
    - disabled: False
    - refresh: True
    - architectures: amd64
    - require:
      - file: ensure_nginx_gpg_key_present

install_nginx:
  pkg.installed:
    - pkgs:
      - nginx
    - require:
      - pkgrepo: ensure_nginx_repository_present

# start nginx application
nginx_for_systemd_enable:
  service.running:
    - name: nginx
    - enable: True
    - require:
      - pkg: install_nginx

When executed you should get back something similar to this:

# salt \* state.apply nginx
demo-minion:
----------
          ID: install_security_deps_nginx
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 16:50:51.798513
    Duration: 36.102 ms
     Changes:   
----------
          ID: ensure_nginx_gpg_key_present
    Function: file.managed
        Name: /etc/apt/keyrings/nginx_signing.key
      Result: True
     Comment: File /etc/apt/keyrings/nginx_signing.key updated
     Started: 16:50:51.836737
    Duration: 3.26 ms
     Changes:   
              ----------
              diff:
                  New file
              mode:
                  0644
----------
          ID: ensure_nginx_repository_present
    Function: pkgrepo.managed
        Name: deb [signed-by=/etc/apt/keyrings/nginx_signing.key] 
http://nginx.org/packages/mainline/ubuntu/ jammy nginx

      Result: True
     Comment: Configured package repo 'deb [signed-by=/etc/apt/keyrings/nginx_signing.key] 
              http://nginx.org/packages/mainline/ubuntu/ jammy nginx
              '
     Started: 16:50:51.840789
    Duration: 8532.835 ms
     Changes:   
              ----------
              repo:
                  deb [signed-by=/etc/apt/keyrings/nginx_signing.key] 
                  http://nginx.org/packages/mainline/ubuntu/ jammy nginx
----------
          ID: install_nginx
    Function: pkg.installed
      Result: True
     Comment: The following packages were installed/updated: nginx
     Started: 16:51:00.373780
    Duration: 7841.066 ms
     Changes:   
              ----------
              nginx:
                  ----------
                  new:
                      1.25.4-1~jammy
                  old:
----------
          ID: nginx_for_systemd_enable
    Function: service.running
        Name: nginx
      Result: True
     Comment: Service nginx is already enabled, and is running
     Started: 16:51:08.226680
    Duration: 88.846 ms
     Changes:   
              ----------
              nginx:
                  True

Summary for demo-minion
------------
Succeeded: 5 (changed=4)
Failed:    0
------------
Total states run:     5
Total run time:  16.502 s

Systemd will also report Nginx running and under its management with a status check.

# systemctl status nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-04-09 16:51:08 UTC; 38s ago
       Docs: https://nginx.org/en/docs/
    Process: 1753530 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
   Main PID: 1753531 (nginx)
      Tasks: 3 (limit: 4667)
     Memory: 3.2M
        CPU: 12ms
     CGroup: /system.slice/nginx.service
             ├─1753531 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─1753532 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─1753533 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

Apr 09 16:51:08 ip-172-31-25-48 systemd[1]: Starting nginx - high performance web server...
Apr 09 16:51:08 ip-172-31-25-48 systemd[1]: Started nginx - high performance web server.
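The state above writes whatever https://nginx.org/keys/nginx_signing.key returns and marks it trusted with skip_verify: True, so a tampered download would become an accepted signer for every future nginx package. The following replacement for the key and repository states is an added example, not the post's own file: it assumes the rest of init.sls (install_security_deps_nginx, install_nginx, nginx_for_systemd_enable) stays as written, and the sha256 and fingerprint values are placeholders to be filled from a copy of the key obtained out of band.

```yaml
# Replacement for the two key/repo states in /srv/salt/nginx/init.sls (added example).
# The two values below are PLACEHOLDERS: fill them from a copy of the key
# obtained out of band (vendor documentation, a second network path, a
# stored copy), never from the download this state is meant to verify.
{% set key_path = '/etc/apt/keyrings/nginx_signing.key' %}
{% set key_sha256 = 'REPLACE_WITH_SHA256_HEX_OF_KEY_FILE' %}
{% set key_fpr = 'REPLACE_WITH_40_HEX_OPENPGP_FINGERPRINT' %}

ensure_nginx_gpg_key_present:
  file.managed:
    - name: {{ key_path }}
    - source: https://nginx.org/keys/nginx_signing.key
    # check 1: file.managed refuses to write the file if the download's
    # sha256 differs from the pinned value (replaces skip_verify: True)
    - source_hash: sha256={{ key_sha256 }}
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True

# check 2: the OpenPGP fingerprint of the key now on disk, the value vendors
# actually publish. In gpg --with-colons output (gpg 2.2+) the fingerprint is
# field 10 of the "fpr" record; a mismatch exits non-zero and fails the state.
verify_nginx_key_fingerprint:
  cmd.run:
    - name: >-
        test "$(gpg --show-keys --with-colons {{ key_path }}
        | awk -F: '/^fpr:/ {print $10; exit}')" = "{{ key_fpr }}"
    - onchanges:
      - file: ensure_nginx_gpg_key_present
    - require:
      - pkg: install_security_deps_nginx

# the apt source is only written after both checks pass; a failed
# verify_nginx_key_fingerprint leaves the repository unconfigured
ensure_nginx_repository_present:
  pkgrepo.managed:
    - humanname: official Nginx stable repository
    - name: >-
        deb [signed-by={{ key_path }}]
        http://nginx.org/packages/mainline/ubuntu/ {{ grains.oscodename }} nginx
    - file: /etc/apt/sources.list.d/nginx.list
    - aptkey: False
    - refresh: True
    - architectures: amd64
    - require:
      - file: ensure_nginx_gpg_key_present
      - cmd: verify_nginx_key_fingerprint
```

Because verify_nginx_key_fingerprint only runs when the key file changes, a routine state.apply stays idempotent, while a key swap on the mirror shows up as a failed state instead of a silently re-trusted repository.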

Nginx traffic configuration management

Nginx has a simple configuration layout to follow for serving traffic. All configuration files go into the /etc/nginx/sites-available/ directory and are then symlinked into the /etc/nginx/sites-enabled/ directory. This way you can write a configuration without serving traffic, simply by removing or never creating the symlink. Here I will use a Calibre ebook server conf file for the demo.

# file: /srv/salt/state/nginx/calibre.sls

# copy the vhost from the salt fileserver into sites-available
ensure_calibre_nginx_file_present:
  file.managed:
    - name: /etc/nginx/sites-available/calibre.conf
    - source: salt://nginx/files/calibre.conf
    - makedirs: True
    - create: True

# symlink available to enabled
symlink_calibre_available_to_enabled:
  file.symlink:
    - name: /etc/nginx/sites-enabled/calibre.conf
    - target: /etc/nginx/sites-available/calibre.conf
    - makedirs: True
    - require:
      - file: ensure_calibre_nginx_file_present

# nginx will pick up the new configuration file.
nginx_load_keys:
  module.run:
    - name: nginx.signal
    - signal: reload
    - require:
      - file: ensure_calibre_nginx_file_present
      - file: symlink_calibre_available_to_enabled

Note

Salt is using signal: reload to ensure nginx reloads (not restarts) to pick up the new configuration and begin serving as described in the new calibre.conf file.
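The reload above is sent on every apply whether or not anything changed, and a vhost that fails to parse only surfaces when that reload is attempted. The states below are an added example (not the post's calibre.sls) that gates the reload on nginx -t and signals nginx only when a watched file changed; they assume the same paths as above and that /etc/nginx/nginx.conf includes /etc/nginx/sites-enabled/* inside its http block, which the nginx.org package's default configuration does not do (it only includes /etc/nginx/conf.d/*.conf).

```yaml
# Replacement for /srv/salt/state/nginx/calibre.sls (added example). Assumes
# /etc/nginx/nginx.conf has `include /etc/nginx/sites-enabled/*;` in its http
# block; the nginx.org package ships without it (only conf.d/*.conf is included).
ensure_calibre_nginx_file_present:
  file.managed:
    - name: /etc/nginx/sites-available/calibre.conf
    - source: salt://nginx/files/calibre.conf
    - makedirs: True

symlink_calibre_available_to_enabled:
  file.symlink:
    - name: /etc/nginx/sites-enabled/calibre.conf
    - target: /etc/nginx/sites-available/calibre.conf
    - makedirs: True
    - require:
      - file: ensure_calibre_nginx_file_present

# gate: parse the complete configuration before asking nginx to load it.
# Runs only when the vhost file or symlink changed; a bad directive makes
# `nginx -t` exit non-zero, so this state fails and the reload never happens.
nginx_config_test:
  cmd.run:
    - name: nginx -t
    - onchanges:
      - file: ensure_calibre_nginx_file_present
      - file: symlink_calibre_available_to_enabled

# reload (not restart) only when a watched state reports a change, and only
# if the config test passed; unchanged runs leave the workers untouched.
# If init.sls's nginx_for_systemd_enable is applied in the same run, keep
# just one service.running state for nginx.
nginx_running_and_reloaded:
  service.running:
    - name: nginx
    - enable: True
    - reload: True
    - watch:
      - file: ensure_calibre_nginx_file_present
      - file: symlink_calibre_available_to_enabled
    - require:
      - cmd: nginx_config_test
```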

Closing Thoughts

Many applications we may use to form our software suite are written in different languages, developed with novel paradigms, and with different scopes of use in mind. The HTTP and HTTPS protocols are a standard we can rely on to build stability and consistency with Nginx, so as not to get tripped up by unfamiliar application configuration for public access. Salt can further ensure this stability is easy to deploy and securely maintained against configuration drift.
